US7219134B2 - Network system - Google Patents

Abstract

A network system having a client, a content server, application servers and a proxy server is described. The proxy server relays content and data between the client, the content server and the application servers upon a request for content from the client. The application servers process the requested content in accordance with pre-established signature and content verification requirements before the content is relayed to the client. The applications servers also provide signature and content verification management for the network.

Description

INCORPORATION BY REFERENCE

This application claims priority based on a Japanese patent application, No. 2002-267551 filed on Sep. 13, 2002, the entire contents of which are incorporated herein by reference.

BACKGROUND OF THE INVENTION

In a network system wherein content existing on a server can be accessed from clients connected to the server through communication lines, the present invention relates to a proxy server that relays data to be communicated between the server and the clients, and a system using the proxy server.

It has been come into popular use for end users to download computer-executable programs and files of music and moving pictures, using a protocol called Hypertext Transfer Protocol (HTTP), and run programs or play music and moving pictures on the end users' personal computers. In this way of getting programs and information files over a network, it is an important problem to assure providing user terminals with security. It is possible that, for example, a malicious third party invades a Web server on the Internet and alters data of content (for example, a moving picture file or computer-executable program) existing on the server to program data polluted with a computer virus. In that event, when a user downloads the program to the user's terminal unconsciously and run the program, trouble will happen that data stored on the terminal is corrupted or that the user personal important information that should be secret is transmitted over a network freely by the malicious third party. As countermeasures against such trouble, a virus detection program is used to detect and eliminate computer viruses. The countermeasures using the virus detection program may be taken in the following two manners.

One method is running the virus detection program on end user's terminals or a Web server. Another method is running the virus detection program on a proxy server or a fire wall, wherein content being downloaded to a user terminal is checked for viruses in real time. A Web proxy is a Web communications intermediary technology via which Web data is transmitted from a server to a client. Description of the Web proxy is provided in Sections 1.3 and 1.4, R. Fielding, et al. RFC 2616 “Hypertext Transfer Protocol—HTTP/1.1” June, 1999, The Internet Society, <URL:http://www/ietf.org/rfc/rfc2626.txt>. The latter method in which virus detection is performed on the network is suitable for communication carriers that provide Internet connection services in providing users with security services as well.

As an advanced version of the latter technology, a Web proxy verifies digital signatures, as described in PCT Gazette WO 00/64122. According to this art, tampered content is detected as follows. First, a digital signatures to all content items stored on a Web server are generated beforehand. When content is downloaded via the Web proxy, the Web proxy verifies that the content being downloaded is authorized, using its digital signature. The digital signatures are generated and stored in a storage of the Web proxy beforehand. If authorized content is verified, the content is sent as is to the user that requested the content. If tampered content is detected, the Web proxy returns an error message or sends its original content stored beforehand on it to the user.

In the former method, it is difficult to install the virus detection program on all user terminals connected to the network. If a mobile phone is used as such a terminal, it is impossible to run the virus detection program on it. Even if virus check is performed on the server, there is a possibility of the checked data being polluted with a virus when it is routed over the network.

In the latter method by which the Web proxy performs virus detection, because the proxy at which traffic on the network rushes must perform the task of virus detection that is a heavy processing load, the processing performance of the proxy itself becomes very low. Another approach has been proposed in which the virus detection program runs on another server connecting to the proxy and data is exchanged between the server and the proxy. Even for this approach, the processing performance of the server on which the virus detection program runs is also a bottleneck.

In the art disclosed in WO 00/64122, because the proxy does not perform the virus scan, its processing load is reduced. However, increase in its processing load for decrypting digital signatures is inevitable.

As described above, the approach that an intermediary device on the network, instead of the server, performs additional processing of content being downloaded from the server to a client involves the problem that its processing load becomes too heavy.

Another problem also exists. The sequence of downloading a plurality of contents cannot be checked by prior art, even though such check would be desirable. For example, when a content and its metadata are downloaded, it cannot be checked whether the content is downloaded after the metadata is downloaded.

SUMMARY OF THE INVENTION

The present invention is characterized in that an intermediary communication device (referred to as a proxy server) provided between a client and a server comprises a unit that relays communication data which relays data to be communicated between the client and the server and a unit that calls out application server which encapsulates content received via the unit that relays communication data from the server into a predetermined format message, forwards the message to an application server, and receives the content and data returned as the result of additional processing performed by the application server. Consequently, the intermediary device on the network, instead of the server, is competent to instruct application servers to perform additional processing of content being downloaded to the client.

The proxy server includes a transfer control database in which conditions by which content is forwarded to one of the application servers and information about the application servers, required for forwarding the content, are set and stored. The unit that relays communication data parses an access request and information described for content to be accessed and the content is forwarded to an appropriate application server if the access request and the content-associated information satisfy the conditions stored in the transfer control database.

The unit that calls out application server parses the result returned from the application server and the content sent back from the server, the data returned from the application server, the content that has been cached on the proxy server previously, or an error message is sent back to the client. Thus, an appropriate response can be sent back to the client and data traffic between the application server and the proxy server can be reduced. Additional processing of content can be performed without reconfiguring the client and server.

The unit that relays communication data may cache content which may be verified content data received from the appropriate application server or content retrieved, according to its URL, via the network. When a particular content item subjected to additional processing provided by an application server should be sent back to a client as a quick response, the application server can instruct the proxy server to cache the content prior to client request for access to the content.

The network system of the present invention includes application servers; for example, a content registration server which registers content accepted from a content creator or provider (referred to as a content manager, also) by the registrant's application into a database, wherein the data of the content is checked by virus detection or the like and a digital signature (hereinafter referred to as, simply, a signature) is attached to the content before registering the content, a content verification server which checks the data of content to be registered by the registrant's application by virus detection or the like, and a signature verification server for verifying signatures.

According the present invention, the server stores signed content and the proxy server forwards the signed content being downloaded by client's request to the signature verification server. The signature verification server verifies the validity of the signature attached to the content and returns the result of verification to the proxy server. If the result of verification is valid, the proxy server sends back the content to the client. If the result is invalid, the proxy server returns an error to the client. The content data is verified beforehand and, when the content is downloaded, it can be ensured that the content data is valid by verifying only the signature attached to the content. Consequently, verified content can more quickly be distributed to clients.

For signature issuance and verification, private key and public key certificates stored on appropriate servers in the network system are used.

Specifically, the proxy server which relays signed content transmitted from the server to a client forwards the signed content to the signature verification server as one of the above-mentioned application servers. Signature verification prevents the content data from being tampered as it is routed over the network without requiring user terminals to run a content verification program. Security is assured while high throughput of the network is maintained.

The content registration server is provided with a function to make the proxy server cache verified content when registering content. This enables quicker sending back of secured content to a client in response to client request for access to a registered content item.

The content verification server includes a table for management of a plurality of security levels so that content verification by a security level that was set, based on a contract or the like can be performed.

Having received signed content, the signature verification server determines whether the content should be sent back to the client and returns the result of the determination to the above-mentioned proxy server. Specifically, the signature verification server performs a tampering check of content, which is achieved by verifying the signature of the content, and searches the database for the content ID specified in the signature and checks whether the content data is valid.

The task of signature verification is separated from the proxy server and assigned to another server, that is, the proxy server at which traffic rushes is made free from the heavy load of the signature verification task. Thus, the processing speed of the proxy server can be enhanced. Maintenance and operation would become easier because reconfiguration can be performed simply by signature verification server replacement and altering the transmission setting on the proxy server and it is not necessary to add a new software function or alter software for signature verification processing or stop the proxy server operation.

The database managed by signature verification servers always synchronize with the database of content registration servers. Thus, management can be performed such that content registration information is shared by the application servers within the network system of the present invention and its inconsistency does not occur.

A method for content verification of the present invention enables verifying whether a couple of content items are downloaded properly to a client by registering a plurality of content items in a couple on the content registration server. Specifically, the signature of a second content item is included in a first content item. When verifying the first content item, the signature verification server stores the signature of the second content item included in the first content item. When verifying the second content item, the signature verification server performs verification, using the stored signature of the second content item. Thus, it can be verified that the first and second content items are downloaded as those registered in a couple. Control is possible such that the couple of content items should be judged valid only when one content item is downloaded after the other content is downloaded.

In the present invention, content means digital data such as text files, multimedia data (for example, music files and moving picture files), or computer-executable programs.

According to the present invention, a high-speed or high-functionality content verification system can be realized without the need to reconfigure the clients and server.

These and other benefits are described throughout the present specification. A further understanding of the nature and advantage of the invention may be realized by reference to the remaining portions of the specification and attached drawings.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 is a diagram representing how a network system which enables content verification is built logically.

FIG. 2 is a diagram representing a functional configuration of aproxy server20.

FIG. 3 illustrates an example oftransfer control database22 structure.

FIG. 4 is a diagram representing a functional configuration of asignature verification server40.

FIG. 5 illustrates an example ofregistration database45 structure.

FIG. 6 is a diagram representing a functional configuration of acontent registration server50.

FIG. 7 illustrates an example of synchronizingregistration databases45.

FIG. 8 illustrates an example of a security management table provided in acontent verification system60.

FIG. 9 illustrates an example of signedcontent31 structure.

FIG. 10 illustrates a process flow example of a content registration procedure in the network system.

FIG. 11 illustrates another process flow example of a content registration procedure in the network system.

FIG. 12 illustrates a process flow example of a content deregistration procedure in the network system.

FIG. 13 illustrates a process flow example of downloading content in the network system.

FIG. 14 is a diagram representing a configuration of an information processing device; all devices employed in the present invention can be embodied in this configuration.

FIG. 15 shows an example of forming the network system according to another preferred embodiment of the invention.

FIG. 16 illustrates a process flow in a content verification method according to a further preferred embodiment of the invention.

DESCRIPTION OF THE PREFERRED EMBODIMENTS

All devices involved in illustrative embodiments of the present invention can be constituted as a general computer system, for example, as is shown inFIG. 14. A device is comprised of aCPU11, amemory12, areader13 which reads data from a removable andportable storage medium18 such as a CD-ROM, DVD-ROM, etc., anetwork interface14 for communicating with a corresponding node via anetwork9,external storage15 such as a HDD, and an I/O unit16 comprising a keyboard, mouse, and display. On each device, a computer program created to implement specific tasks is loaded into thememory12 beforehand and theCPU11 executes the computer program.

The computer program may be stored into theexternal storage15 beforehand or imported from another device via a removable storage medium or a communication medium.

Using the accompanying drawings, a first preferred embodiment of the present invention will be described below.

FIG. 1 is a simplified diagram representing how a network system is built in accordance with the first preferred embodiment of the invention.

In the first preferred embodiment, the network system is comprised of aclient10, aserver30, aproxy server20 which relays data to be communicated between theclient10 and theserver30, asignature verification server40 which verifies whether content should be sent to theclient10, using the signature attached to the content, acontent registration server50 which accepts content beforehand from the content manager such as the content creator or possessor, and generates a signature attached to the content, acontent verification server60 which checks the data of content received by thecontent registration server50, ancertificate authority70 which distributes a certificate revocation list containing revoked ones of public key certificates to be used when thesignature verification server40 verifies the signature, and acontent registrant terminal80 through which the content manager registers content with thecontent registration server50. All the above-mentioned devices are interconnected via anetwork9.

Theclient10 and theserver30 are connected via at least oneproxy servers20. Theproxy server20 connects to thesignature verification server40 and thesignature verification server40 connects to thecontent registration server50 and thecertificate authority70. Thecontent registration server50 connects to thecontent verification server60 and thecontent registrant terminal80.

On theclient10 device, a existing Web client application such as a Web browser runs. When theclient10 user wants to download content such as text data, moving picture data, or program files, stored on theserver30, theclient10 sends the server30 a message (access request) that requests theserver30 to send the content and receives the content.

When theserver30 on which a Web server program runs receives the access request from theclient10, it sends the requested content to theclient10. In the present preferred embodiment, theserver30 stores signedcontent31 which is illustrated inFIG. 9 in its storage.

Signedcontent31 is prepared prior to access request from theclient10 as follows. Content supplied from thecontent registrant terminal80 is registered on thecontent registration server50; at this time, the content data is checked by thecontent verification server60 and a signature is attached to the content so that the content is allowed to be downloaded to theclient10. Signatures in the present preferred embodiment are generated by public key encryption using a hash function.

The signedcontent31 illustrated inFIG. 9 comprisesoriginal content311 which may be text, a moving picture, a computer-executable program, or the like and asignature312 part which is used for verifying the validity of theoriginal content311. Thesignature312 part comprisessignature information3121, asignature value3122 obtained from encrypting thesignature information3121 with a private key, and apublic key certificate3123 including a public key required for decrypting thesignature value3122. Thesignature information3121 comprises asignature method3124 which indicates a hash function algorithm or the like, acontent ID3125 which is an ID uniquely assigned to the content by the present system, and a characteristic value (digest value) of thecontent3126 calculated by making the hash function act on the content data.

Theproxy server20 inFIG. 1 is provided with a function of relaying an access request sent from theclient10 to theserver30 and content in response to the request (relay function).Destination server30 information (such as a host name and IP address) is included in URL information on content described in the access request message.

Theproxy server20 is also provided with a cache function for caching content it relayed as a response.

Moreover, theproxy server20 forwards signedcontent31 as a response received from theserver30 to thesignature verification server40 with a request to verify itssignature312 if the content satisfies preset conditions (URL, extension, file type, etc. of the content). If the result of the verification returned has no problem, the proxy server sends the content to theclient10.

Communication between theproxy server20 and thesignature verification server40 may be preferably performed, using a communication protocol such as, for example, HTTP or Internet Content Adaptation Protocol (iCAP).

When thesignature verification server40 receives the signedcontent31 transmitted from theproxy server20, it verifies thesignature312, ascertains that the content is not tampered, and returns the verification result to theproxy server20.

Thesignature verification server40 receives and stores beforehand a certificate revocation list containing revoked ones of public key certificates to be used when it verifies thesignature312, distributed from thecertificate authority70. When it receives signedcontent31, it verifies the validity of the public key associated with the content by checking the public key certificate against the certificate revocation list.

Also, thesignature verification server40 stores information that proves the validity of content percontent ID3125 in aregistration database45.

Thecontent registration server50 performs signature issuance and content registration management.

Its signature issuance function is implemented as follows. Thecontent registration server50 accepts a content registration request from thecontent registrant terminal80, receives the content, and sends the accepted content to thecontent verification server60. When it receives the result of verification, it ascertains that the content data has no problem, generates asignature312 to the content, attaches thesignature312 to the content, and returns the result to thecontent registrant terminal80.

For example, when thecontent registration server50 accepts a request for registering a computer-executable program file, it requests thecontent verification server60 to check whether the program data includes computer viruses, whether a class library incorporated within the program to be referenced by the program may cause corruption of data stored on theclient10 terminal or unexpected transmission of the data to a third party, and other possibilities of danger. If the result of the verification is no problem, thecontent registration server50 adds asignature312 to the computer-executable program file.

The content registration management function is to generate a content ID that uniquely identifies accepted content throughout the system and manage content items, according to the validity of content per ID, using the database. This function comprises a function to add registration information for a new content item to the registration database when the content registrant registers content, a function to change the status information about a content item to “invalid” when the validity of the registered content item has lost, and a function to delete the information about an expired content item from the registration database. When a plurality ofsignature verification servers40 andcontent registration servers50 are provided for load sharing, one of thecontent registration servers50 is further provided with a function to distribute registration information about a content item to other servers when the content registrant makes an application for registration of the content item with it and the registration is accepted.

This function prevents inconsistency of registered content items between or among the plurality ofcontent registration servers50 and can avoid an overhead which would otherwise occur whenever eachsignature verification server40 queries the mastercontent registration server50 about registration information for a content item when verifying thesignature312 of the content item.

For example, assume that the content registrant registers content and, thereafter, makes an application for deregistering the content. The mastercontent registration server50 first accepts a request for registering content from thecontent registrant terminal80 and one of thecontent verification server60 checks the content data. Then, the mastercontent registration server50 assigns an ID to the content, registers the content as a new “valid” content item in the registration database, and sends the registration information about the new content item to thesignature verification servers40 and othercontent registration servers50 so that the registration databases on the servers are updated.

When the mastercontent registration server50 receives an application for deregistering the above content from thecontent registrant terminal80, it changes the status information for the content item to “invalid” if it is within the expiry date of the content or deletes the information about the content item from the registration database if the content is expired. Then, the mastercontent registration server50 instructs thesignature verification servers40 and othercontent registration servers50 to make the same change or deletion so that the registration databases on the servers are updated.

If theclient10 requests access to a content item that has been deregistered, the request is handled as follows. After thesignature verification server40 verifies the validity of thesignature312 of the signedcontent31 received from theproxy server20, it checks the content ID within thesignature312. Using the content ID as a key, thesignature verification server40 searches itscontent registration database45A and finds that the status of the content item is “invalid” or the content item has been deleted. Thesignature verification server40 notifies theproxy server20 that the content should not be sent to theclient10 as the verification result of the content item is invalid.

Thecontent verification server60 checks the content data received from thecontent registration server50, checks whether the content should be sent to theclient10, and returns the result of verification to thecontent registration server50. For example, thecontent verification server60 analyzes the content for possibilities of danger; for example, to see whether the data includes viruses, or to see whether a class library incorporated within the program to be referenced by the program may cause corruption of data stored on theclient10 terminal or unexpected transmission of the data to a third party.

Thecertificate authority70 distributes a certificate revocation list (CRL) to thesignature verification server40 periodically or at request of thesignature verification server40.

Thecontent registrant terminal80 is used for the content manager such as the content creator, possessor, or provider to register content with thecontent registration server50 and is provided with a user interface function allowing the content manager to make an application for registering content and registrant information or deleting a content item and a communication function with thecontent registration server50.

Thecontent registrant terminal80 may be a terminal on which a Web browser runs. The registrant as the user of the terminal starts the Web browser, accesses thecontent registration server50, and enters necessary information such as registrant information and a file path (location on a disk) of the content to be registered, which has been stored on thecontent registrant terminal80, into an entry form presented in the Web browser window as a response, and click a “register” button. Then,content registrant terminal80 transmits an application for registering the content and electronic data of the content to thecontent registration server50. Thereafter, as a response from thecontent registration server50, the result of registration of the content is displayed on the screen and the signed content is downloaded.

When the registrant has made an application for deregistering a content item, the result of deregistration of the content is displayed on the screen. If the registration or deregistration is unsuccessful, an error message is returned. The singedcontent31 as the response once received by the registrant is supplied to theserver30 and stored into the storage such as a hard disk on theserver30. For the method of supply, the signedcontent31 can be transferred from thecontent registrant terminal80 to theserver30 over a secure transmission path set up therebetween; alternatively, it is possible to store the signedcontent31 on a storage medium such as a flexible disk and transport the disk to theserver30.

In the configuration shown inFIG. 1, the functions realized by a plurality of devices may be physically realized by a single device. For example, the functions of thesignature verification server40 may be incorporated into theproxy server20. The functions realized by a single device may be physically realized by a plurality of devices. For example, the signature issuance and content registration management functions of thecontent registration server50 may be realized by separate servers which communicate with each other via the network.

UsingFIGS. 2 to 14, the first preferred embodiment of the invention will be further described.

FIG. 2 is a diagram representing a configuration of theproxy server20 in the present preferred embodiment.

Theproxy server20 in the present preferred embodiment is comprised of a unit that relayscommunication data21 which relays data to be communicated, atransfer control database22 in which conditions and information for forwarding communication data to thesignature verification server40 are stored, and a unit that calls outapplication server23 for making connection to thesignature verification server40.

The unit that relayscommunication data21 receives an access request transmitted from theclient10 and forwards it to theserver30 designated by the URL specified in the access request message. Also, this unit receives non-signed content sent back from theserver30 and forwards it to theclient10.

When the unit that relayscommunication data21 receives signedcontent31, it passes the signedcontent31 which is unverified to the unit that calls outapplication server23 in order to forward it to thesignature verification server40, based on the conditions and information stored in thetransfer control database22. Thereafter, when the unit that relays communication data receives a “verification successful” message as the result of verification ororiginal content311 as a response from thesignature verification server40, it sends back theoriginal content311 to theclient10. When the unit receives the signedcontent31 as the response, it removes thesignature312 from the content and sends back theoriginal content311 or the signedcontent31 as is to theclient10. Whether or not thesignature312 should be removed is determined by setting of theproxy server20. If the unit receives a “verification unsuccessful” response message, it sends an error notification to theclient10. If the unit receives content other than theoriginal content311 as the response, it may send the received content as is to theclient10.

Thetransfer control database22 is a table-form database wherein atransfer condition field221 entry is used as a search key, as is illustrated inFIG. 3. This database is used for managing the conditions for forwarding signedcontent31 to thesignature verification server40. Theentries225 of thetransfer control database22 are as follows. In thetransfer condition field221, a condition that triggers transmission of signedcontent31 to thesignature verification server40 is stored. In thedestination URL field222, a destination URL of thesignature verification server40 to which theproxy server20 transmits the signed content matched with the entry in thetransfer condition field221 is stored. In theservice designation field223, a service to be executed for the signed content matched with the entry in thetransfer condition field221 is stored. In thetiming field224, information as to when theproxy server20 transmits the signedcontent31 matched with the entry in thetransfer condition field221 to thesignature verification server40 is stored.

For example, on a row of theentries225 marked out inFIG. 3, extension=“.exe” exists in thetransfer condition field221 and, therefore, a content file with URL including extension “.exe” specified in the access request message received from thecline10 matches this condition. For the matched content data to be communicated, a “virus scan” service must be executed. To do this, the signedcontent31 is forwarded to thesignature verification server40 designated by URL “http://webservicel/virus_scan.cgi” “upon reception of content” from theserver30.

In some embodiment, the URL of a destinationsignature verification server40 may be specified in thesignature312 attached to content and the signedcontent31 received be forwarded to thesignature verification server40 designated by the URL described within thesignature312.

When theproxy server20 is going to transmit signedcontent31 to thesignature verification server40, the unit that calls outapplication server23 inFIG. 2 establishes connection to thesignature verification server40 and creates a message32 including the signedcontent31. This message is constructed, for example, by appending URL321 as the destination to access, which is specified in the access request message from theclient10 and stored on theproxy server20, to the signedcontent31 illustrated inFIG. 9. The use of theURL312 as the destination to access makes it possible to check whether the signedcontent31 is downloaded from the correct URL where it must be located when thesignature verification server40 verifies thesignature312.

FIG. 4 shows a configuration example of thesignature verification server40.

A unit that acquiressignatures41 parses the message32 transmitted from theproxy server20 and gets the signedcontent31 which is unverified. Then, it takes out thesignature312 attached to thecontent31, takes out thepublic key certificate3123 which is required for verifying the validity of thesignature312 from thesignature312 of thecontent31, and passes the public key certificate to a unit that verifiescertificates42.

As the result of verification, if thepublic key certificate3123 is valid, the unit that verifiescertificates42 gives the public key to the unit that acquiressignatures41. The unit that acquiressignatures41 passes thesignature312 and pubic key to a unit that verifiessignatures44 from which it gets the result of verification of thesignature312. As the result of this verification, if it is ascertained that thecontent31 is “valid,” the unit that acquiressignatures41 returns a “verification successful” message to theproxy server20. Together with this message, the unit may send theoriginal content311 or signedcontent31 for which verification was successful to theproxy server20.

If the unit that acquiressignatures41 receives a verification unsuccessful response from the unit that verifiescertificates42 because the public key certificate is invalid or if it is notified that thecontent31 is “invalid” or “void” as the result of verification from the unit that verifiessignatures44, it notifies theproxy server20 of verification unsuccessful. A function may be added to send a message that prompts the registrant of the content to deregister the content from theserver30 when the content has proved invalid.

The unit that verifiescertificates42 receives a certificate revocation list (CRL) from thecertificate authority70 periodically or when required and stores this list into the certificaterevocation list database43 for management. Having received thepublic key certificate3123 from the unit that acquiressignatures41, the unit that verifiescertificates42 first checks whether the public key certificate is expired and annulled. Then, referring to the certificaterevocation list database43, the unit that verifiescertificates42 checks whether thepublic key certificate3123 is revoked. When thepublic key certificate3123 has proved valid, the unit that verifiescertificates42 passes the public key existing within thepublic key certificate3123 to the unit that acquiressignatures41 as the result of processing. If the public key certificate is invalid, the unit that acquiressignatures41 is notified of verification unsuccessful.

Having received thesignature312 and the public key from the unit that acquiressignatures41, the unit that verifiessignatures44 verifies thesignature312. It passes thecontent ID3125 from the signature32 to a unit that managesregistration information46A where the registration database is searched for the status of registration of the content. As the result of search, if the status of the content registration is valid, the unit that acquiressignatures41 is notified of result “valid.” If the status is invalid or void, the unit that acquiressignatures41 is notified of result “invalid.”

Theregistration database45A is a table-form database wherein acontent ID3125 entry is used as a search key and this database is used for content registration status management. The content registration status indicates that the status of a content item is “valid” (that is, the content should be sent to theclient10 as a response) or “void” (that is, the content should not be sent to theclient10 as a response). The status of a content item is set “valid” when the content has been registered on thecontent registration server50 and it is within its expiry date. The status of a content item is set “void” when the registrant's application for deregistering the content has been issued to thecontent registration server50 and the content deregistered, though the content has previously been registered on thecontent registration server50 and it is within its expiry date. When a content item is expired or an application for registering the content is not issued to the content registration server50 (not registered in theregistration database45A), it is made “invalid.”

Difference between “void” and “invalid” may be reflected in logs output from thesignature verification server40 and theproxy server20 and a response message sent back to theclient10 or a messages mailed to the registrant of the content.

An example ofregistration database45A structure is illustrated inFIG. 5.

In thecontent ID field451, acontent ID3125 uniquely assigned to a registered content item within the system is stored. In thestatus field452, the status of registration of the content which has been described above is stored. In theexpiry date field453, the expiry date of the registered content is stored. A content item whose expiry date passed is made invalid and the registrant of the content has to perform its re-registration (renewal) to make it return to service.

In theURL field454, an URL where the registered content is located on the network is stored. In theregistrant information field455, the person information as to the registrant of the content, such as, address, name, and e-mail address, is stored. In the field of when it was invalided456, the date when the content was deregistered by the registrant's application for deregistering the content issued to thecontent registration server50 is stored. In thesecurity level field457, a security level associated with the content is stored, which is used for processing by thecontent verification server60 and will be described later.

The unit that managesregistration information46A inFIG. 4 searches theregistration database45A and updates the database. Having received a search request for acontent ID3125 from the unit that verifiessignatures44, the unit that managesregistration information46A searches theregistration database45A for thecontent ID3125, judges the registration status of acontent ID3125 from the information stored in thestatus field452 of the content, and notifies the unit that verifiessignatures44 of result “valid,” “void”, or “invalid.” Having received an update request (for registration or deletion) from thecontent registration server50, the unit that managesregistration information46A updates the contents of theregistration database45A, according the request. In possible embodiment, theregistration database45A is not stored within thesignature verification server40; instead, another server manages an integrated database of registration, wherein thesignature verification server40 sends acontent ID3125 and a search request for registration information to that server over the network.

FIG. 6 shows a configuration example of thecontent registration server50.

When the content registering/deregisteringunit51 receives an access request from thecontent registrant terminal80, it sends back an entry form window interface which is used for the registrant to enter necessary information, and accepts an application for registering or deregistering (deleting) content. Then, the content registering/deregisteringunit51 receives necessary information such as registrant information andoriginal content311 from thecontent registrant terminal80. When having accepted the application for registering the content, the content registering/deregisteringunit51 sends theoriginal content311 to be registered with a request for verifying the content data to thecontent verification server60. If the result of verification has no problem, the content registering/deregisteringunit51 requests the unit that managesregistration information46B to register the content and getscontent ID3125. Then, the content registering/deregisteringunit51 passes theoriginal content311 and the obtainedcontent ID3125 to a unit that generatessignatures52. After getting signedcontent31 from the unit that generatessignatures52, the content registering/deregisteringunit51 sends back the result of action and the signedcontent31 to thecontent registrant terminal80. When having accepted the registrants application for deregistering content, the content registering/deregisteringunit51 prompts the registrant to enter thecontent ID3125 or URL from thecontent registrant terminal80. Using the registrant-specifiedcontent ID3125 or URL as the search key, the content entry is searched out from the database and deleted.

Having receivedcontent ID3125, the unit that generatessignatures52 creates signedcontent31 illustrated inFIG. 9. At this time, the unit that generatessignatures52 gets the relevant private key and public key certificates required for generating asignature312 to the content from a unit that manageskeys53 where such key certificates are stored securely.

The unit that managesregistration information46B is essentially the same as the unit that managesregistration information46A shown inFIG. 4. When the unit that managesregistration information46B receives a request for registering content, its additional function is to create a new entry in theregistration database45B and assign acontent ID3125 that is not in use to the content. When the unit that managesregistration information46B receives acontent ID3125 or URL and a request for deleting content, it searches theregistration database45B for a content entry matching with the search key that is the receivedcontent ID3125 or URL and deletes the matched content entry.

Moreover, the unit that managesregistration information46B has the following function. When a content item is registered or deregistered, this unit instructs othercontent registration servers50 andsignature verification servers40 to register or delete the same content into/from theirregistration databases45, using communication over the network. This function makes it possible to assure consistency of the contents of all the databases. Theregistration database45B is the same as theregistration database45A illustrated inFIG. 5.

FIG. 7 illustrates an example of a method of synchronizing theregistration databases45 respectively used by remote units that manage registration information46 over the network. In a case where a plurality ofcontent registration servers50 are provided, synchronizing a plurality ofregistration databases45 is important. In order to avoid inconsistent contents of the databases andcontent ID3125 duplication,registration databases45 are prepared so that latest information is always stored therein and onecontent registration server50A is positioned as the master. When anothercontent registration server50B (slave) receives an application for registering content, its content registering/deregisteringunit51 passes the request for registering content to the unit that managesregistration information46B. Through communication over the network, the request for registering content is then transferred to the contentregistration server master50A and acontent ID3125 is assigned to the content. Using thiscontent ID3125, theregistration databases45B are updated and asignature312 is generated. Thus, thecontent ID3125 can be shared between thecontent registration servers50 and its duplication can be avoided.

FIG. 8 illustrates an example of a table-form database provided in thecontent verification server60, which is used for verifying the contents of a computer-executable program file.

This database is used to determine a security level, according to functions to be used in a computer-executable program file and class libraries incorporated in the program. Perentry row620, the table has asecurity level field611 to contain a value indicating a program security level, function designation fields612 through614, and class library designation fields615 through617. The table example ofFIG. 8 gives information that aprogram using function1 and a program in whichclass library1 is incorporated havesecurity level2.

The security level that thecontent verification server60 determined by referring to the above database when verifying content is compared with the security level specified by the registrant of the content and contained in thesecurity level field457 in theregistration database45 illustrated inFIG. 5. By this comparison, content distribution can be restricted by a security level, according to the contract made between the operator of the present system and the content registrant. For example, the following arrangements can be made: content registrant A who pays a rather high contract rate to the operator of the system is allowed to distribute programs of a lower security level, whereas content registrant B who pays a rather low contract rate to the operator can distribute only programs of high security level.

FIG. 10 illustrates a process flow example of a content registration procedure starting with the registrant's application for registering content, primarily carried out by the content registration server,master50A.

First, the registrant of content enters necessary information includingregistrant information455, using a Web browser, at the content registrant terminal80 (S501). The necessary information andoriginal content311 are sent to the content registration server,master50A (S502). The content registering/deregisteringunit51 receives necessary information including theregistrant information455 and the content311 from thecontent registrant terminal80 and sends thecontent311 to the content verification server60 (S503, S504). Thecontent verification server60 verifies the content (S505) and returns the result of verification (S506).

The content registration server,master50A checks the content verification result returned (S507). If there is no problem (for example, the program does not include viruses, or the program does not use functions of low security), the unit that managesregistration information46B assigns ancontent ID3125 that is not in use to the content (S510). Then, the unit that generatessignatures52 generates a signature312 (S511). Then, anew content entry459 is added to theregistration database45B (S512). Furthermore, the unit that managesregistration information46B instructs thesignature verification server40 and anothercontent registration server50 to update the registration databases (register the content into the databases) (S513 through S515). Finally, the content registering/deregisteringunit51 sends a notification of result “registration procedure complete” together with the signedcontent31 to the content registrant terminal80 (S516, S517).

If a problem is detected in the verification result in step S507, the content registering/deregisteringunit51 sends a notification of result “unsuccessful content verification” to the content registrant terminal80 (S508, S509).

FIG. 11 illustrates a process flow example of a content registration procedure starting with the registrant's application for registering content, primarily carried out by a slavecontent registration server50B.

The S501 through S509 are the same as the corresponding ones ofFIG. 10. Following S507, registering the content with the content registration server,master50A is performed (S601). The content registration server,slave50B sends theregistrant information455 and thecontent31 to the content registration server,master50A (S602). Themaster server50A assigns acontent ID3125 to the content (S603), updates theregistration database45B (S604), and transfers thecontent ID3125 to the content registration server,slave50B (S605). S605 and subsequent steps are the same as S511 through S517 ofFIG. 10.

FIG. 12 illustrates a process flow example of a content deregistration procedure starting with the registrant's application for deregistering content, carried out by thecontent registration server50.

First, the content registering/deregisteringunit51 receives the URL orcontent ID3125 of a content item to be deregistered (deleted) by the registrant's application from thecontent registrant terminal80 and the unit that managesregistration information46B searches theregistration database45B for the content (S201). It is checked whether there is the content to be deleted (S202). If it is found, its expiry date field is checked and whether it is within the expiry date is checked (S203). If it is within the expiry date, thestatus452 is changed to “void” (S204). If it is beyond the expiry date, the entry row itself is deleted (S205). Then, the unit that managesregistration information46B directs thesignature verification servers40 and othercontent registration servers50 to update their registration databases (delete the content from the databases) (S206). Finally, the content registering/deregisteringunit51 sends a notification of result “deregistration procedure complete” to the content registrant terminal80 (S207). If the content to be deleted is not found instep S202, the content registering/deregisteringunit51 notifies thecontent registrant terminal80 of an error message (S208).

Then, a process flow example of expiry date check in theregistration database45, which should be performed periodically on the mastercontent registration server50, will be explained.

First, the unit that manages registration information46 refers to theentries459 in theregistration database45 and checks whether there is an unreferenced entry. If it is found, whether it is beyond the expiry date is checked by referring to theexpiry date field453. If it is beyond the expiry date, the entry row is deleted. If it is within the expiry date, the entry row is not deleted. The above action is repeated forother entries459, if exist. If unreferenced entries no longer exist, the unit that managesregistration information46B directs thesignature verification servers40 and othercontent registration servers50 to update their registration databases by making the same deletion.

FIG. 13 illustrates a process flow example of handling a request for access to signedcontent31 issued from theclient10.

First, theclient10 sends an access request to the proxy server20 (S701, S702). Theproxy server20 checks whether the content to be accessed has been cached on it (S703). If it has been cached, the proxy server sends the cached content to the client (S704, S705). If not, the proxy server forwards the access request to the server30 (S706).

After theserver30 sends back signedcontent31 to the proxy server20 (S707, S708), theproxy server20 forwards thecontent31 to the signature verification server40 (S709, S710). Thesignature verification server40 verifies the signature as additional processing and returns the result (S711, S712). At this time, together with the result, the verifiedoriginal content311, signedcontent31, or an error message may be sent to theproxy server20.

Then, theproxy server20 sends the verifiedoriginal content311, signedcontent31, or the error message to the client10 (S713, S714) and caches the original content or signedcontent31 if cache space is available for the content (S715).

If signedcontent31 is sent to the proxy server in steps S711, S712, theproxy server20 may remove thesignature312 from the signedcontent31 in step S713 and send theoriginal content311 to theclient10. If the URL of another content is specified in theoriginal content311 verified by thesignature verification server40, the proxy server may request the server to access the URL and retrieve the content and send the content received from the server to theclient10.

In possible embodiment, when registering content by the registrant's application, thecontent registration server50 may instruct the unit that relayscommunication data21 of theproxy server20 to cache the verified content. The advantage hereof is quick response to access request because the content registered by thecontent registration server50 is immediately cached on theproxy server20. When access to the content is requested from theclient10, the cached content is always sent back to the client unless the content is uncached.

In a second preferred embodiment of the invention, which is shown inFIG. 15, a plurality ofproxy servers20 are provided and anencrypted communication channel901 is established between twoproxy servers20A and20B.Clients10 can connect to a proxy server at near location.

In the second preferred embodiment, oneproxy server20A with the caching advantage that enables quick response to aclient10, another proxy server B that is nearer to theserver30, and thesignature verification server40 are operated separately; consequently, the distributed functions enable load sharing in the system. It is also possible that different operators run respective proxy servers which have different functions; for example, a communication carrier provides and maintains theproxy server20A and a corporation or a content provider provides and maintains theproxy server20B.

Next, a third preferred embodiment of the invention will be described which is illustrated by another example of process flow of downloading content, using the invented network system and content verification method. Downloading content through the network to a PC or cellular mobile phone is performed in the following sequence.

Before downloading content itself, download a file called metadata in which supplementary information such as the URL where the content is located is described. Then, parse the information described in the metadata, download the content itself, based on the thus obtained information, and execute the content.

In the third preferred embodiment, thesignature312 of the content is appended to the metadata. The metadata includes itssignature312 and thesignature312 of the content that is coupled with the metadata. Thesignature verification server40 stores thesignature312 of the content when the metadata is downloaded and verifies the content which is downloaded later, using the storedsignature312.

Linking metadata with the URL of a content item is performed when thecontent registration server50 registers the content item. Thesignature verification server40 receives this linking information from thecontent registration server50 and manages the linking information in a table. Using this linking table, thesignature verification server40 also manages locations where themetadata signature312 attached to the metadata and thecontent signature312 are stored. When having received metadata or content having a URL not registered in this table, thesignature verification server40 handles it as an illegal access error. Furthermore, it is preferable to set expiry dates for thesignatures312 of content items to be stored on thesignature verification server40 beforehand; this can prevent unnecessary consumption of the memory resources of the server.

UsingFIG. 16, the third embodiment will be explained fully. When theclient10 sends a request for access to metadata to the proxy server50 (S801), theproxy server50 checks whether the metadata object to be accessed has been cached on it. If it has been cached, the proxy server sends the cached metadata to the client10 (S802). If not, the proxy server forwards the access request to the server30 (S803).

After theserver30 sends back signed metadata to the proxy server20 (S804), theproxy server20 forwards the metadata to the signature verification server40 (S805). Thesignature verification server40 verifies themetadata signature312, stores both themetadata signature312 andcontent signature312 included in the metadata, registers their locations into the linking table (S806), and returns the result (S807). Then, theproxy server20 sends the verified metadata or an error message to the client (S808) and caches the metadata if cache space is available for the metadata (S810).

Theclient10 parses the received metadata (S809) and sends a request for access to the content designated in the metadata to the proxy server20 (S811). Theproxy server20 checks the content (whosesignature312 has been verified) to be accessed has been cached on it. If it has been cached, the proxy server sends the cached content to the client10 (S812). If not, the proxy server forwards the access request to the server30 (S813). After theserver30 sends back the content to the proxy server20 (S814), the proxy server forwards a message32 comprising the content and the URL as the destination to access321 to the signature verification server40 (S815).

Thesignature verification server40 searches the linking table for an object matching with the URL of the content as the search key and searches for thesignature312 of the content stored when the metadata was downloaded before and managed under the entry of the metadata coupled with the content. If the storedsignature312 of the content is found, then, thesignature verification server40 verifies the content (S816) and returns the result. If not, thesignature verification server40 returns an error (S817). Then, theproxy server20 sends the verified content or an error message to the client10 (S818) and caches the content if cache space is available for the content (S819).

If a plurality ofsignature verification servers40 are provided in this embodiment, content must be verified by asignature verification server40 that verified the metadata coupled with it. For this reason, theproxy server20 manipulates data so that content is surely forwarded to the specifiedsignature verification server40. Specifically, the content's URL described in the metadata sent back to theproxy server20 in step S807 or the status information of the HTTP session stored in the HTTP header used when transmitting content and metadata (for example, a cookie header) is rewritten or additionally written and theID3125 that identifies thesignature verification server40 that is to verify the content is added.

For example, content's URL “http://server A/metadata” should be written to “http://server A/metadata?signature verification server=01.” Because the client sends a request for access to content with the rewritten URL in step S811, theproxy server20 parses the additional portion of the URL “signature verification server=01” following the question mark “?” and forwards the content to the specifiedsignature verification server40 during the process of downloading the content.

For cookie, for example, header “Set-Cookie2: signature verification server=01” should be appended to the HTTP message to be exchanged between theproxy server20 and thesignature verification server40. When theproxy server20 receives a request with the cookie header “Cookie: signature verification server=01” from theclient10, it parses the cookie header and can forward the content to the specifiedsignature verification server40 as is the case for the URL example. Because theproxy server20 has the information stored as to thesignature verification server40 to which the metadata was forwarded, theproxy server20 may describe the cookie header and append it to the metadata which is sent back to theclient10.

The third preferred embodiment have the following two advantages:

First, it can be verified whether content is downloaded in conjunction with its proper metadata. Content's URL is described in the metadata and theclient10 requests access to the content after parsing the metadata. However, verifying metadata and content separately cannot detect false metadata written by a third party for accessing to content. For protection, thecontent signature312 is attached to the metadata so that it can be verified that proper content and metadata coupled together are downloaded.

Second, content to be provided is not manipulated and, therefore, downloaded content, even if it is downloaded without utilizing the invented network system, can be executed on theclient10 without trouble. For example, from mobile phones, access to content and metadata must be performed through the invented network system. From PCs, however, such access is possible without the intervention of the invented network system. In the latter case, when downloading signed metadata and content, the device to which the metadata with irrelevant data (signatures312) was downloaded normally ignores the irrelevant data without judging it as an error because the metadata is supplementary data and it is not executed. However, if the device attempts to execute signed content, there is a possible of an error due to the data irrelevant to the content (that is, the signature312) attached to the content. By including content's signature in metadata as in this embodiment, this kind of errors on theclient10 can be avoided.

The specification and drawings are, accordingly, to be regarded in an illustrative rather than a restrictive sense. It will, however, be evident that various modifications and changes may be made thereto without departing from the spirit and scope of the invention as set forth in claims.

Claims (2)

1. A network system comprising:

a client which sends an access request to a server;

the server which receives the access request from the client and distributes content;

application servers, each of which performs, upon reception of content, additional processing of the content and returns processed content and data to a unit that sent the content to it;

a proxy server which relays data to be communicated between the client and the server, said proxy server comprising:

a unit that relays communication data which receives the access request from the client and forwards it to the server and receives the content from the server,

a unit that calls out application server which receives content from the unit that relays communication data, encapsulates the content into a predetermined format message, forwards the message to one of the application servers, and receives the content and result of additional processing performed by the application server,

wherein the unit that relays communication data sends data based on the result to the client,

wherein the unit that relays communication data caches the content sent back from the server, and, when having received a request for access to the cached content from the client, sends back the cached content to the client if it is within its expiry date which has been indicated by the metadata of the content or set on the proxy server beforehand, and

wherein the unit that relays communication data caches the processed content received from one of the application servers or content retrieved via the network, according to information indicating a processed content location on the network;

a content registration server which accepts content from a content manager;

a content registrant terminal on which a program runs to provide an interface for registering content with the content registration server;

a content verification server which receives content from the content registration server and checks the content data by a predetermined method;

wherein the content registration server creates signed content by attaching a signature to content received from the content registrant terminal if the content verification server has verified that the content satisfies predetermined conditions;

wherein one of the application servers is a signature verification server which verifies the signature of the signed content, said signature verification server comprising:

a unit that acquires signatures which takes out a signature from signed content that is unverified received from the proxy server,

a unit that verifies certificates which verifies the validity of a public key certificate to be used for verifying the signature;

a certificate revocation list database for management of a certificate revocation list to be used for verifying the validity of a public key certificate,

a unit that verifies signatures for verifying signatures;

a registration database for storing registration information per content ID included in a signature, and

a unit that manages registration information for managing the registration information per content ID;

the server stores the signed content created by the content registration server;

the proxy server forwards the signed content received from the server to the signature verification server and determines whether the signed content should be sent to the client, according to the result of verification returned; and

wherein the signature verification server communicates with the content registration server so that the registration database is synchronized with the same database on the content registration server.

2. A network system comprising:

a client which sends an access request to a server;

the server which receives the access request from the client and distributes content;

application servers, each of which performs, upon reception of content, additional processing of the content and returns processed content and data to a unit that sent the content to it;

a proxy server which relays data to be communicated between the client and the server, said proxy server comprising:

a unit that relays communication data which receives the access request from the client and forwards it to the server and receives the content from the server,

a unit that calls out application server which receives content from the unit that relays communication data, encapsulates the content into a predetermined format message, forwards the message to one of the application servers, and receives the content and result of additional processing performed by the application server,

wherein the unit that relays communication data sends data based on the result to the client,

wherein the unit that relays communication data caches the content sent back from the server, and, when having received a request for access to the cached content from the client, sends back the cached content to the client if it is within its expiry date which has been indicated by the metadata of the content or set on the proxy server beforehand, and

wherein the unit that relays communication data caches the processed content received from one of the application servers or content retrieved via the network, according to information indicating a processed content location on the network;

a content registration server which accepts content from a content manager;

a content registrant terminal on which a program runs to provide an interface for registering content with the content registration server;

a content verification server which receives content from the content registration server and checks the content data by a predetermined method;

wherein the content registration server creates signed content by attaching a signature to content received from the content registrant terminal if the content verification server has verified that the content satisfies predetermined conditions;

wherein one of the application servers is a signature verification server which verifies the signature of the signed content;

the server stores the signed content created by the content registration server;

the proxy server forwards the signed content received from the server to the signature verification server and determines whether the signed content should be sent to the client, according to the result of verification returned;

wherein

a signature to a second content item is included in a first content item;

when verifying the first content item, the signature verification server stores the signature of the second content item included in the first content item; and

when verifying the second content item, the signature verification server performs verification, using the stored signature of the second content item.

Images